Routing Questions for DMZ/Internal LAN

Hi,

We have a new neighbor that has recently moved into our building.  We are considering (and most likely are) going to provide internet access to this person from our pipe.  At the same time we set this up, we intend on splitting off some of our servers into a DMZ.  Our new neighbor will be supplying us with a Cisco Pix for their routing/security purposes.  I have a few questions on general routing and what can and can't be done.

The IP space allocated to us includes a /26 and a /24, which is honestly a fairly big waste and came about as a result of our requesting a /24 from ARIN and our ISP never deallocating the /26 despite our informing them to do so.  Ironically, at this point I believe having that extra subnet will be able to help me simplify things a bit when configuring the new design (granted, even now I only need a /29 based on what I have visualized).

Our current network looks like:   ISP ATM Switch <> ISP Router <> Our Router <> Our Network

The ATM switch inside and the ISP router outside are connected via ethernet and routed TCP using a /30.  On the inside of the ISP router they have configured x.x.x.193 /26 and x.x.x.1 /24.  What I'm looking to do is break the network down to get rid of a hideously overly complex access list on our router.  What I have envisioned is the following:

                          ISP Router
                 (x.x.x.193 /26, x.x.x.1 /24)
                               |
        -------------------------------------------------- (Switch)
        |                      |                         |
 (x.x.x.194 /29)        (x.x.x.195 /29)           (x.x.x.196 /29)
    New 1811                 1721                    Their Pix
  (x.x.x.2 /24)        (192.168.1.1 /24)         (192.168.2.1 /24)
        |                      |                         |
       DMZ                Our Network              Their Network

The problem I see arising is that I do not think the /24 will route down to my DMZ if it is configured on the ISP router, meaning that I'd need to break it so that the outside interface has a .2 /30 as a secondary and the inside interface .129 /25 and a bunch of secondaries to fill the rest of the subnet, with a lot of wasted space.

Secondly, does the 1721 router need an access list at all if all internal traffic is natted (patted I guess) through the interface ip?

Or suggest a totally different idea that is better than mine.

Asked by caplinktech

mikebernhardt commented:
I pretty much agree. A lower-end layer 3 switch will do what a router is designed to do, but not as well. But it will move packets between ports faster.

Put your router on the OUTSIDE of the switch so you have a point-to-point link with their router and
1. have the ISP remove the /24 from their interface
2. have the ISP change the mask on the /26 to /30. If you can, get them to just use private addressing or a separate /30 between their router and yours and get rid of the public ones completely! If you have to use a /30 out of your addressing, that's OK too.
3. have the ISP put static routes on their router pointing at your router for both the /26 and the /24.

Now you can manage your public addressing however you want without involving them anymore.

mikebernhardt commented:
You're right, you can't do that. But why do you need the secondary at all? Just put a route in the ISP router:
x.x.x.0 255.255.255.0 x.x.x.194

The primary address on the ISP router should have a mask of /29, not /26. Save the rest for other purposes.

Scotty_cisco commented:
First off the only real questions I see that you seem to be directly asking are ...

DMZ routes.... all that needs to be done is a static route to that network pointing to the DMZ network. I guess I am at a loss: you have a line and are calling it a switch.... is this an L3 switch, or L2 with VLANs and trunking going on?

If it were me, this is what I would do.  The 1721 will do trunking; I would create a trunk on the switch and put the DMZ on one VLAN, your network on another and their network on a third.

In that case the DMZ routes would be known because they would be a connected route to the 1721.

The second question is do I need an ACL for all addresses that are using the NAT/PAT ... your answer is yes that is the only way that you will tell the router what to NAT or not.

I would also put ACLs on the VLAN interfaces in the 1721 to keep traffic separated.

Thanks
Scott

PS let me know if I missed the whole point of the exercise.

caplinktech (author) commented:
Hi Mike,

Part of my problem is I don't have access to the ISP router. I could hack around the password, but I'd rather not get in trouble.  I did that once and I got a phone call asking why the last modification date was different from the one in their files :-).  I'm considering just calling them and trying to get a tech on the phone at the same time I make my changes to prevent much downtime, but I'm trying to see if I could avoid the hassle of dealing with them.  The /24 wasted IPs are the ones that bother me the most, so I may just end up calling them.

Scott:

I am aware I need the standard NAT acl, but I meant in terms of "general" acl (you know the long boring permit tcp any any established type).  The fact that the traffic is natted should prevent any type of attack on the internal network.

As for the reason I'm not bothering with trunking, I felt this configuration would be much simpler, and he already has the PIX 501 from using it in his old building, and we are implementing wireless networking for our network.  Since the 1811W will give us that capability as well as allow us to have a spare router (with some trunking and reconfig) on site, we felt it was worth the extra couple hundred bucks.   PS I kind of put the 2 routers (the 1721 and 1811) backwards in the diagram.

And since Mike brought up the mask question, will pairing that /29 with the /26 cause a problem, assuming I don't try and make this a joint effort with the ISP?  I believe the leading bits are identical on both subnets.

Scotty_cisco commented:
Oh ok, so ISP-owned router.... if you run a router inside and route basically all internal networks to your router and then trunk, you are still fine with doing this.

NAT will maintain address information over multiple hops, so no problems there, and if you are doing NAT you are correct in stating that the ACLs are less important as no IP addresses are openly available on the internet.  NAT does offer some protection, not enough that I would consider that my only line of defense but enough that I would not worry about every little threat that comes down the pipe as it were (-Grin-)

Thanks
Scott

mikebernhardt commented:
It will probably work OK since they are all within the /29. There will be some issues if the routers communicate with each other at all because they will have different broadcast addresses.  Don't try any dynamic routing between the ISP router and your own, but if you can get the ISP to change it, so much the better. I hate how they seem to give people addressing and then make it impossible to use. In your case, YOU own the ARIN /24 and they'd better do what you want them to do with it.
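
Mike's point about the mismatched masks, as an added example that is not part of this thread: a small Python check with the ipaddress module showing what each router believes its connected subnet is when the ISP keeps .193/26 and our router uses .194/29 on the same wire. 203.0.113.0/24 is a constructed stand-in for the thread's x.x.x block.

```python
import ipaddress

# Constructed stand-ins for the thread's x.x.x addresses (203.0.113.0/24 is a
# documentation range): the ISP keeps its old /26, our router uses a /29.
ISP_SIDE = "203.0.113.193/26"
OUR_SIDE = "203.0.113.194/29"

def subnet_view(iface):
    """What a host configured with this address/mask believes its subnet is."""
    net = ipaddress.IPv4Interface(iface).network
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "hosts": net.num_addresses - 2}

def on_link(iface, target):
    """True if the host would ARP for `target` directly rather than hand it to
    a next-hop router, i.e. the target falls inside its connected subnet."""
    return ipaddress.IPv4Address(target) in ipaddress.IPv4Interface(iface).network

def compare(target="203.0.113.250"):
    """Both routers see each other on-link, so the point-to-point hop works,
    but their broadcast addresses differ, and an address such as .250 is
    'connected' from the ISP's point of view while it is a routed destination
    from ours."""
    return {
        "isp": subnet_view(ISP_SIDE),
        "ours": subnet_view(OUR_SIDE),
        "peers_on_link": on_link(ISP_SIDE, "203.0.113.194") and on_link(OUR_SIDE, "203.0.113.193"),
        "isp_sees_target_on_link": on_link(ISP_SIDE, target),
        "we_see_target_on_link": on_link(OUR_SIDE, target),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```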

caplinktech (author) commented:
Hi Mike,

If I get the ISP involved, can I move the x.x.x.1 ip in my internal interface or does that ip still need to be on the ISP router?

Scott,

What would you suggest would be a good ACL to apply on that router as the grin seems to indicate that you seem to have a standard one in mind.

Scotty_cisco commented:
Here is a basic example; of course you can go into great detail, but this will get you started.

ip access-list extended isp-access-in
 remark --- anti-spoofing: these sources should never arrive from the Internet
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.0.31.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 208.30.64.0 0.0.7.255 any
 deny   ip 192.35.174.0 0.0.1.255 any
 deny   ip 192.35.176.0 0.0.3.255 any
 deny   icmp any any
 remark --- return traffic for sessions opened from inside (one line per public block)
 permit tcp any Your.ip.range 0.0.0.x established
 permit tcp any Your.ip.range 0.0.0.x established
 remark --- inbound services you actually publish
 permit tcp any any eq (service repeated as required)
 permit udp any host (as required)
 deny   udp any any eq 1993 log
 remark --- the gt 1023 lines admit any unsolicited high-port traffic; tighten once services are known
 permit tcp any any gt 1023
 permit udp any any gt 1023
 deny   ip any any log

caplinktech (author) commented:
Does that get applied on the inside or outside interface?  I recognize the loopback and internal network addresses, but you have several denies for public IP ranges; are these known published problem zones, ones from your personal experience, or something entirely different?

Is UDP 53 not required for DNS?  I always forget how DNS works, if it's 53 to 53 or random above 1023 to 53 and replies back above 1023.  It's the one service I never get right.

Scotty_cisco commented:
All good questions... I would put that on the outside interface with the access-group isp-access-in in command.

The reason for the private addresses is spoofing protection, most useful in, say, a cable access or shared access infrastructure.  You are correct in stating you need UDP 53 for DNS, but I would only open it to one internal address, that is your DNS server: permit udp any host (as required) eq 53. Like that it provides some filtering for security and also forces your employees' and corporate traffic to hit a local DNS, providing better optimization and tracking.

The destination port on DNS is always 53; the reply may come on any port. Outbound is not the problem, it is inbound that you have here, so that is the issue.

Thanks
scott

mikebernhardt commented:
>If I get the ISP involved, can I move the x.x.x.1 ip in my internal interface or does that ip still need to be on the ISP router?
Definitely move it to your inside router. It doesn't need to be on their router at all, just a route pointing to your router.

Regarding DNS, the destination is always UDP 53, but the source could be either 53 or >1023, depending on the version and how it was configured. If you have your own DNS server then you also need to allow TCP 53 though, because occasionally BIND will use it for queries and the RFC requires it for that. TCP queries will always be sourced from >1023. But TCP 53 is also used for zone transfers. If your DNS server gets queried from outside, you can configure the server not to respond to zone transfer requests if you want to. If your DNS server is never queried from outside, just allow
permit udp any eq 53 host [your dns server]
permit tcp any eq 53 host [your dns server] gt 1023

If you don't have a DNS server (everyone talks to the ISP's DNS server) then you don't need the TCP part:
permit udp any eq 53 any

mikebernhardt commented:
By the way, I didn't know about the requirement for TCP 53 until recently. I always only allowed UDP 53. Then I posted a question on the BIND users group and I was lambasted for not allowing TCP 53 through our firewall. The idea is to allow TCP 53 and then tell the server who can request zone transfers.

caplinktech (author) commented:
Half my problem with this stuff is I don't do it enough anymore to trust myself, so another petty question.

If I get the ISP involved, and have the /26 changed to /29 on the ISP router, I can then also have the remaining subnets routed from the ISP router down to .194.  Assign those subnets to subinterfaces on the .194 router, VLAN and trunk it up and I should be good to go there as well correct?

Now only if I had an actual use for those extra ips....

Scotty_cisco commented:
As long as you have a static from the ISP, yes. You could technically use private addresses as it is a transit network anyway, but it's not a good practice.

Thanks
Scott

mikebernhardt commented:
They just need to have routes pointing to the routers where it will be used. For the /26, same thing. The easiest thing would be if you had some sort of layer 3 in between their router and yours. Can your switch do any layer 3? Then you could let them just have static routes for the /26 and /24 pointing to the switch, and the device you control can be more specific.

caplinktech (author) commented:
No, it is a Cisco 2950 layer 2 switch.  But now that you mention that, what I may do is take Scott's original idea and create VLANs and a trunk for the DMZ and internal network and throw the 1760 in front of the 1811W to do exactly what you mention.

Which brings up my next curiosity-only question: is there anything a router can do that a layer 3 switch can't?

Scotty_cisco commented:
Depends ..... there are a few things I have run into ... GRE tunnels: they say they will do them but sometimes they are flaky; also with routing protocols sometimes you run into issues... and of course the obvious one on lower end switches, terminating WAN connections LOL.  I love the Cisco 3750s with the EMI code, they rock.  If you're just routing between LAN segments a router will never touch an L3 switch.  Multicast will kick the snot out of a router where a switch will just handle it.... kind of like the expression, use the right tool for the job.  High-level traffic LAN goes on a switch.  Routers tend to do accounting and security better than the switches that I have used, in a general sense, if you exclude the CAT6500 and ones like that which are more like a multi-port router/switch combined.

Thanks
Scott

caplinktech (author) commented:
Hi Mike,

Agreed and done last night with less of a headache from the ISP than expected including getting the /30.

Now, I am running into a weird issue with the Pix.  If you think I should open a new topic I will, but will ask here anyway.

For the pix I reset the config to factory defaults.  Enabled both interfaces, assigned ips to both interfaces.

Put a default route on the unit route outside 0.0.0.0 0.0.0.0 1

It pings everything outside the network perfectly fine; however, when attempting to ping from the internal interface I get nothing.  I'm not as familiar with the Pix CLI as I am with IOS, but I established NAT with:

global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 0 0

still I can ping everything outside, but if I do a ping inside x.x.x.193 (<- next hop router, mine) I get nothing.  The inside network can ping the pix but for some reason the pix won't pass the traffic from the inside to the outside.

Any clues?

mikebernhardt commented:
I would open a new question. You're now dealing with a PIX problem which is entirely different from the original question. I haven't done NAT on PIX so someone else may be able to help you better/faster.

Question has a verified solution.